AUDIT REPORT

SMITHSONIAN TROPICAL RESEARCH INSTITUTE

INFORMATION SYSTEMS REVIEW

Number A-03-04

March 27, 2003

SUMMARY

The Office of the Inspector General audited information system controls at the Smithsonian Tropical Research Institute (STRI). The purpose of the audit was to evaluate information system controls regarding system access, server and network security, change and configuration management, physical security, and disaster recovery.

The following points were considered throughout our audit. Adequate security of information resource systems is a fundamental management responsibility. Of necessity, management must strike a reasonable balance between information technology security and operational capability.

We conducted interviews regarding the daily administration of technology resources with staff from STRI Information and Technology. We also spoke with representatives from the HSBC Bank. Through interviews, we gained an understanding of the practices employed concerning system configuration, network analysis, system access, disaster recovery, change management, physical conditions, and financial wire transfers.

Overall, STRI did have some system security controls in place regarding system backup. However, we determined that STRI system security configurations and safeguards were inadequate and the risk to system access and data integrity was high. It is Smithsonian policy, as well as good business practice, that controls be established to maintain accountability for the custody and use of resources and to provide reasonable assurance that assets are safeguarded against loss or unauthorized use. Therefore, we made 11 recommendations to improve systems security and general system controls at STRI. The recommendations to STRI included:

   - secure current identified vulnerabilities;
   - perform a systems security review as defined in Smithsonian Technical Standard and Guideline IT-930-01, Automated Information System Security Planning;
   - develop and implement a semiannual security assessment process for system and network assets based on Office of the Chief Information Officer and industry standards;
   - use technical guidance to develop, document, update, and implement server and client configuration settings;
   - develop and implement a disaster recovery plan in accordance with Smithsonian policies and industry guidance;
   - develop and support network and server security training specific to STRI technology staff system administration responsibilities;
   - perform periodic network and personal computer reviews to determine if peer-to-peer programs or any other unauthorized programs or services are installed;
   - reinforce the necessity for all STRI system passwords to comply with Office of the Chief Information Officer password standards;
   - disable, rename, or remove all unnecessary user accounts;
   - remove the folders and files containing images supporting the external private website; and
   - adjust all STRI websites to ensure that a privacy statement is included as well as ensure that the content is reviewed before the information is displayed on the website.

The Director of the Smithsonian Tropical Research Institute concurred with the audit recommendations and has already begun taking proactive measures to secure its system resources. Overall, we believe that the corrective actions taken are responsive to the recommendations.

TABLE OF CONTENTS

                                                                          Page
1. Introduction                                                              1
   A. Purpose                                                                1
   B. Scope and Methodology                                                  1
   C. Background                                                             1
2. Results of Audit                                                          2
   STRI Information System Security                                          2
Table 1. Averages Based on Center for Internet Security Scores               3
Table 2. Summary of STRI Network Analyses                                    4
Appendix A. Industry Standards                                              10
Appendix B. Management Comments from Dr. Ira Rubinoff, Director, STRI       12

ABBREVIATIONS AND ACRONYMS

   FBI     Federal Bureau of Investigation
   IT      Information Technology
   NIST    National Institute of Standards and Technology
   OCIO    Office of the Chief Information Officer
   SANS    SysAdmin, Audit, Network, Security Institute
   STRI    Smithsonian Tropical Research Institute
   P2P     Peer-to-Peer
   SD      Smithsonian Directive
   SI      Smithsonian Institution

INTRODUCTION

A. Purpose

The purpose of the audit was to evaluate STRI information system controls for systems access, server and network security, system changes and configuration management, physical security, and disaster recovery planning.

B. Scope and Methodology

The audit was conducted from January 9, 2003, to February 27, 2003, in accordance with generally accepted government auditing standards. The audit methodology consisted of the following:

   - identifying and reviewing applicable Institution policies and procedures related to system general controls, computer system security, and integrity of computer resources;
   - comparing STRI's system security settings with industry and SI standards;
   - evaluating controls to safeguard and protect networks;
   - assessing the adequacy of controls to prevent and detect unauthorized activities including external intrusions, theft, or misuse of computers and networks; and
   - utilizing guidance issued by the National Institute of Standards and Technology, National Security Agency, and Microsoft Corporation relating to system security configuration, and disaster recovery planning.

We reviewed:

   - policies, procedures, and controls relating to system security and data integrity;
   - controls over server and network configurations; and
   - controls to prevent and detect unauthorized activities.

As part of our review, we conducted interviews with STRI technology and administrative staff, and support contractors. We spoke with staff from STRI Information and Technology and STRI contractors from HSBC Bank. Through interviews, we gained an understanding of the practices employed concerning system configuration, network analysis, system access, disaster recovery planning, and change management.

C. Background

The Smithsonian Tropical Research Institute has a 90-year history in Panama going as far back as construction of the Panama Canal. The Institute has a scientific interest in surveying the flora and fauna of the area for the purpose of controlling insect-borne diseases such as yellow fever and malaria. STRI scientific staff is composed of 10 different nationalities and has a core staff of 33 scientists who are specialists in their field. In addition, STRI manages and administers its information technology resources locally.

RESULTS OF AUDIT

STRI Information System Security

Information system resources at STRI can be strengthened. Specifically,

   - server configurations are not documented, not up-to-date, and do not meet industry standards;
   - sensitive network and accounting system resources are vulnerable;
   - no documented disaster recovery plan exists; and
   - staff is using unauthorized peer-to-peer Internet file transferring programs.

STRI systems are at risk because its staff has not performed any recent system security assessments.[1] Without periodic system security assessments, STRI system resources are vulnerable and not up-to-date, which could compromise financial transactions and disrupt or cease network and computer operations.

[1] OCIO Guidance recommends performing security risk assessments to determine the extent of potential threats and risks with an automated information system throughout its life cycle. The output of this process helps identify appropriate controls for reducing or eliminating risks and vulnerabilities.

Background

We evaluated STRI system security and disaster recovery plan at Panama City, Panama. We used Smithsonian Directives and industry guidance and standards from the National Institute of Standards and Technology, General Accounting Office, National Security Agency, and Microsoft Corporation. The evaluation included a review of operating system configurations, user accounts, network ports, and vulnerable services.[2]

[2] Registry settings and Novell servers were not evaluated.

Smithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that shall apply to Institution units. The directive requires managers to take systematic and proactive actions to develop and implement appropriate, cost-effective management controls. It also requires that controls established shall provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Smithsonian Directive 931, Use of Computers & Networks, August 5, 2002, requires system administrators to perform data backup and offsite storage of critical data. In addition, "Smithsonian Institution Computer Security Handbook," September 9, 1993, provides computer security policies and procedures for all Smithsonian components to develop disaster recovery plans. Disaster recovery safeguards consist of developing a contingency plan, storing the plan offsite, regularly backing up files and software, identifying an alternate offsite processing site, and testing the contingency plan. According to the Handbook, the purposes of a contingency plan are to determine actions that will minimize the effects of undesirable occurrences, document emergency response actions like system restart, and establish procedures for recovering from losses.

Smithsonian Institution Technical Standard & Guideline IT-930-01, Automated Information System Security Planning, Version 1.0, November 2002, provides guidance to IT managers in producing system security planning documents and describes security-related planning activities. It also explains how security requirements are generated, tracked, incorporated, and tested within the lifecycle. Implementation of a sound automated information system security planning process can help build a trusted environment and provide security necessary to conduct business electronically at and within the Institution.

Smithsonian Institution, Technical Reference Model (TRM), Version 1.0, December 2001, IT-920-01, applies to program area and technical managers, and others responsible for information technology systems and services. Compliance is required unless specifically waived by the Chief Information Officer. The TRM recognizes that the Institution is composed of varied and incompatible hardware and software. The heterogeneous nature of the Institution's technology infrastructure has constrained its ability to infuse new technology. The TRM attempts to apply an enterprise approach to managing technology infrastructure. A more homogenous, standards-based information technology infrastructure will provide the foundation for distributed systems that are robust and scalable. The TRM attempts to establish consistent information and communication services throughout the Institution. A standards approach will provide the ability to update and replace technology in a more cost-effective manner. The TRM identifies Windows 2000 as the preferred desktop operating standard.

The Computer Security Act of 1987 requires the establishment of minimum acceptable security practices related to federal computers. This act requires the identification and protection of systems containing sensitive information and calls for a computer standards program and security training for users.

Appendix A lists industry standards used to evaluate STRI information system resources.

Results

We evaluated STRI system configurations that included server and sub-network security. Under the current system configuration, we determined that STRI servers and network systems are vulnerable and should be strengthened to meet industry security standard recommendations. We used the Center for Internet Security Scoring Tool as a basis to evaluate each Microsoft NT server. The tool applies the "Windows Security Scoring Tool" criteria and produces a score between one and ten, with ten being the most secure. STRI falls in the low range of average scores with a score of 3.8. Table 1 summarizes the averages for hotfixes and server scores for each location. On a positive note, the servers were up-to-date on service packs.

Table 1. Averages Based on Center for Internet Security Scores[3]

                                              ACCAPP    NAOSFTP   Webshield
                                    Average   Server    Server    Server
   No. of missing hotfixes
     and security patches              7.67        8         7          8
   Missing service packs[4]               0        0         0          0
   Score                                3.8      3.8       3.8        3.8

[3] The Scoring Tool criteria are divided into four categories: (1) Service Packs and Hotfixes, (2) Policies, (3) Security Settings and (4) Available Services and Other System Requirements.
[4] STRI Windows NT servers had no missing service packs.

The failure to maintain servers with the most current versions is a risk that can be easily mitigated by keeping software up-to-date with service packs and hotfixes.[5] According to the NIST, maintaining and updating applications with the latest hotfixes, patches, and service packs is necessary to maintain the operational availability, confidentiality, and integrity of information technology systems. Not all vulnerabilities have related patches; therefore, system administrators must be aware of vulnerabilities and patches, and have a means to mitigate "unpatched" vulnerabilities through other methods.

[5] A service pack corrects known problems and provides tools, drivers, and updates that extend functionality and keep the software code updated. Hotfixes and security patches are intended for enterprise implementations and provide an extra level of security for mission-critical software systems. Specifically, security patches eliminate vulnerabilities by mitigating recognized exploits.

Although a tape backup process is in place, STRI had not implemented a disaster recovery plan for IT services. A disaster recovery plan assesses the adequacy and ensures continuity of operations if either a complete system failure or failure of system components occurs. For its system servers, system administrators have an established tape backup process. The tapes, however, are not stored off site. Our evaluation of the physical server conditions identified a clean and secure environment. Server room access is restricted by a card reader lock, fire suppression is available, and access logs are reviewed periodically.

As part of our network analysis, we performed network scans and limited penetration testing on the STRI network. Specifically, we researched and used the most common identified port and service vulnerabilities. We scanned the STRI network and were able to obtain access to critical computers and sensitive information at STRI. Table 2 shows a summary of weak computer access vulnerabilities and non-password compliance at STRI.

Table 2. Summary of STRI Network Analyses

                                                            Administrative
           Computers  Passwords    Non-Compliant  Blank      Accounts &     P2P Internet
   Subnet  Scanned    Compromised  Passwords      Passwords  Passwords      File Sharing
                                                             Compromised    Installed
   232          32          39            55          16            41            16
   233         105          26            26          12            16             1
   234          86          11            11          10             7             0
   235           2           0             0           0             0             0
   238          52          13            13           7            12             0
   239          97          20            20          13            16             3
   Total       397         110           126          59            92            20
   Percentage            27.71%        31.74%      14.86%        23.17%         5.04%

Our penetration testing successfully compromised STRI computers used by the accounting department to perform bank wire transfers and an IT department computer used to manage the STRI network resources. We were able to identify the accounting department's different wire transfers and the timing pattern of its wire transfers. With this knowledge we could open any one and modify the electronic files that contained individual names, bank routing numbers, and amounts, thereby possibly altering individual wire transfers that averaged about $21,000 every two weeks. Also, we were able to gain access to 110 STRI user accounts, or 27 percent, which included the main computer used to monitor and manage STRI network resources. A compromise of this machine could provide an opportunity to cause havoc to STRI and SI networks, including disabling the STRI network communications.[6]

[6] Although access was gained to the wire transfer files, no files, accounts, or amounts were altered.

In addition, from our network scans and analyses, we identified a STRI computer that is being used to host files that link to a non-SI website. The website is of a former STRI employee. The former employee has since resigned and left STRI altogether as of July 2001. Although STRI IT staff manages two web servers, we identified numerous other STRI computers accessible through the Internet, and some were hosting web sites. For example, the NAOS Molecular Group maintains a website that links back to the STRI main page. However, the NAOS website does not contain a privacy statement, and it contains a cartoon link that refreshes itself. The cartoons displayed on the NAOS website are questionable and could be viewed as inappropriate. In addition, there is no control on what type of images will be displayed since the cartoon is linked to a non-Smithsonian website. We also identified other computers with Apache web server operating systems that are vulnerable to several FBI and SANS Institute top 20 vulnerabilities.[7]

[7] The Apache web computers' vulnerabilities include remote open secure socket layer vulnerable to the Slapper Worm virus, traversal encoding, and ping of death denial of service.

Further analyses of STRI computers identified that staff are using peer-to-peer programs such as Kazaa, a well-recognized Internet file transfer program. Use of peer-to-peer technology (P2P)[8] puts STRI systems and the SI network at risk. We found that staff was using p2p programs such as instant messaging and Internet file sharing programs. Instant messaging is used to communicate with others through the Internet, and the file sharing program is used for personal downloading of music and video files. As a result, STRI and SI system resources are vulnerable to viruses, worms, and denial of service attacks.

[8] According to the SANS Institute, p2p technology is a communication model in which each computer has the ability to initiate a communication session with other computers running p2p software. P2P applications enable users to use the Internet to exchange files and communicate.

Also, these well-known file sharing programs pose a risk. Because shared files are commonly video and music files, which are extremely large in size as compared to normal network file traffic, they congest network links and unnecessarily occupy bandwidth required for official network traffic. Further, storage of large files has the potential to fill up hard drive and network file storage. It is well known that file sharing applications and their use provide a conduit for malware to circumvent firewalls and enter networks because almost all the sources of downloads originate from untrusted sources. Additional risks include copyright infringements and virus and Trojan horse program propagation.

STRI systems are at risk because the last system security assessment was performed in 1994. STRI IT staff relies on OCIO to provide guidance and assessments of its network, server, and desktop computers. Information technology staff has applied its security attention on keeping its Novell network and Novell file servers up-to-date and secure. In addition, according to STRI IT management, computer resources have not been upgraded to the OCIO Technical Reference Model because of budget funding limitations.

As a result, without periodic security assessments, STRI system resources are vulnerable and could disrupt or cease network and computer operations. In addition, without standard security system configurations, STRI system resources are vulnerable to unauthorized, undetected activities, and possible financial losses.

Conclusion

Based upon our configuration and network analyses, we believe that STRI can improve systems security by introducing an assessment process into its IT administration duties. Implementing security assessments and performing periodic network scans can identify risks, thereby limiting vulnerabilities and preventing system compromises.

Recommendations

We made 11 recommendations to the Director, Smithsonian Tropical Research Institute:

   1. Secure current identified vulnerabilities.

Management Comments

Concur. STRI IT staff has already begun updating its Windows NT servers, and policies and security settings have been set in the Fundware server. Completion dates for the remaining Windows NT servers are expected by April 25, 2003. Network scans have been performed and unauthorized ports and services will be closed by March 28, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   2. Perform a systems security review as defined in SI Technical Standard and Guideline IT-930-01, AIS Security Planning.

Management Comments

Concur. STRI IT staff plans to perform a systems security review according to SI Technical Standard and Guideline IT-930-01, AIS Security Planning, with a planned completion date of June 27, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   3. Develop and implement a semiannual security assessment process for system and network assets that includes server configuration evaluations and network scans based on OCIO and industry standards.

Management Comments

Concur. Beginning in September 2003, a security assessment will be performed semiannually.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   4. Use technical guidance to develop, document, update, and implement server and client configuration settings that includes application servers, web servers, and any other computer that is accessible and used on the Internet.

Management Comments

Concur. Implementation of the Technical Reference Model was initiated in the beginning of 2003 and is contingent upon available budget. A target compliance date of August 29, 2003, is planned.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   5. Develop and implement a disaster recovery plan in accordance with SI policies and industry guidance.

Management Comments

Concur. Corrective action has been initiated based on SI and industry guidance and is contingent upon completion of recommendation two. September 26, 2003, is the planned target date.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   6. Develop and support network and server security training specific to STRI technology staff system administration responsibilities.

Management Comments

Concur. Management plans to provide Windows NT and 2000 security training to its server administrators and system security staff during the current fiscal year.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   7. Perform periodic network and PC reviews to determine if p2p programs or any other unauthorized programs or services are installed and take appropriate administrative action when necessary as well as removal of these programs and files.

Management Comments

Concur. Management has begun eliminating P2P and unauthorized programs. Completion is planned for July 25, 2003, with future reviews performed semiannually.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   8. Reinforce the need that all STRI system passwords comply with OCIO password standards, especially for information technology staff with administrative responsibilities.

Management Comments

Concur. Management plans that all passwords will comply with OCIO standards by July 25, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   9. Disable, rename, or remove all unnecessary user accounts, particularly within the accounting department.

Management Comments

Concur. Management plans to remove all unnecessary accounts by July 25, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   10. Remove the folders and files containing images supporting the external private website.

Management Comments

Concur. The files supporting the external website have been removed as of February 27, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

   11. Adjust all STRI websites to comply with SI standards of maintaining a privacy statement as well as ensuring content is reviewed before public display on the website.

Management Comments

Concur. Content of the website is being reviewed by the Office of Public Information with a target completion date of April 30, 2003.

Office of the Inspector General Response

The Director's actions are responsive to the recommendation.

Appendix A. Industry Standards

National Security Agency Research Study by Trusted Systems Services, Windows NT Security Guidelines: Considerations & Guidelines for Securely Configuring Windows NT in Multiple Environments, 1999, provides guidelines for countering known attacks on Windows NT installations that expose or modify user data maliciously. The goal is to make Windows NT as secure as reasonably and practically possible. Implicit in the guidelines is the understanding that recommendations must be both effective against certain threats and also practical. A balance is necessary between security and operations because some controls impede operational capability.

NIST, "The Contingency Planning Guide for Information Technology Systems," December 2001, provides instructions, recommendations, and considerations for government IT contingency planning. According to the guidance, some type of documented procedures should be in place to provide for the recovery of files, address disaster recovery, and identify critical processing data. The plan should allow for periodic testing and should ensure that personnel understand their respective roles during a disaster.

NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, defines eight principles used as an anchor on which the federal community should base their information technology security program. This guidance defines the purpose of computer security as a way to protect an organization's valuable system resources, through the selection and application of appropriate safeguards. A security program helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees and other tangible and intangible assets.

NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, states that the objective of system security planning is to improve the protection of information technology resources. All federal systems have some level of sensitivity and require protection as part of good management practice. According to NIST, system security plans should document the protection of the system. Additionally, the completion of system security plans is a requirement of the Office of Management and Budget Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987." The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001, states adequate security of information and the systems that process it is a fundamental management responsibility. This document provides guidance on applying a framework by identifying 17 control areas, such as those pertaining to identification and authentication, and contingency planning. The guide explains that officials must understand the current status of their information security program and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level. This self-assessment guide provides a method for agency officials to determine the current status of their information security program.

SysAdmin, Audit, Network, Security Institute (SANS), Peer-to-Peer Networking, October 29, 2001, concludes that the use of p2p software is a credible threat to network security. In addition, the limited documentation surrounding the technology hinders the capability of network and system administrators to analyze and obtain knowledge of vulnerabilities associated with its use. Often system administrators are unaware that users have downloaded and installed these applications. This lack of awareness renders system administrators incapable of protecting systems from the many p2p security loopholes. SANS notes the following problems with p2p technology:

   - unnecessary network bandwidth utilization that congests networks;
   - illegal transfers that involve copyrighted material;
   - information leakage and loss of control over the data on computers and networks;
   - virus and Trojan propagation downloaded from untrusted sites; and
   - Internet protocol and machine name disclosure outside the internal trusted network and firewall circumvention.

Appendix B. Management Comments from Dr. Ira Rubinoff, Director, STRI

Smithsonian Tropical Research Institute                                    Memo
Office of the Director

   Date:    March 13, 2003
   To:      Thomas D. Blair, SI Inspector General
   cc:      SI: Dennis Shaw, Jason-Robert Scott, David Cole
            STRI: Georgina de Alba, Francisco Rivera
   From:    Ira Rubinoff
   Subject: Review of draft audit report on information system controls at STRI

Thank you for the opportunity to review the audit report on Information Systems Controls at STRI. We concur with all the recommendations of the report and, in concurrence with the STRI IT department, the corrective action and target date for completing the action are indicated after each recommendation.

STRI has a total of twelve servers. Eight servers use Novell as the network operating system and four servers use Windows NT. The report concentrates on the Windows NT environment. Novell servers were not evaluated during the audit. Our Novell servers are up-to-date and secure.

Recommendations and Corrective Actions.

1.
Secure Current Vulnerabilities.\n                   a) Hotfixes and patches.\n                   We started to update all Hotfixes and Patches in our NT servers on February 17,\n                   2003. Target completion date: April 25,2003.\n\n                   b) Policies and Security Settings.\n                   Policies and Security Settings have not been set in the Fundware server. Polices\n                   and Security Settings were completed in the remaining NT servers on February\n                   28,2003. Target completio~ldate: March 28,2203.\n\n                   c) Ports and Available Services.\n                   Scans were performed. As a result, ports and services that were not authorized to\n                   the users were closed as detected. Target completion date: May 30,2003.\n\n          2.       Perform a Systems Security Review.\n                   A Systems Security review will be performed according to SI Technical Standard\n                   and Guideline IT-930-01. AIS Security Planning. The review will initiate in April\n\n          SMITHSONIAN INSTITUl\'ION\n          Srnithsonian Tropical Research Institute\n          Unit 0948\n          APO AA 34002\n          507 212 111 10 Telephone\n          507 212.8150 Fay\n                               E-mail\n          rubinot~~~~tivoli.si.edu\n\x0c          2003 and the target completion date is June 27,2003.\n\n3. \t      Develop and implement a semiannual security assessment.\n          Starting September 2003. a security assessment will be performed semiannually.\n\n4. \t      Use technical guidance to develop. document. update, and implement server and\n          client configuration settings.\n          The impleinentation of the Teclinical Referenced Model was initiated at the\n          begi~ulingof this calendar year. Coiiipletioll of this recommendation is contingent\n          to budget constraints. Target completion date: August 29,2003.\n\n5. 
\t      Develop and implement a disaster recovery plan.\n          Corrective action will be initiated based on SI policies and Industry guidance for\n          illis recommendation after recom~nendatioiinumber two is completed. Target\n          co~npletioildate: September 26, 2003.\n\n6. \t      Develop and support network and server security training.\n          Sever Administrators will received NT and Windows 2000 security training, and\n          hands-on training from ST System Security personnel during the current fiscal\n          year.\n\n7. \t      Perform periodic network and PC reviews.\n          The elimination of p2p programs and unauthorized programs has been initiated.\n          We are planning to complete our first review on July 25,2003.\n          Futures reviews will be iilcluded in the semiannual security assessment.\n\n8. \t      Con~plywith OClO password standards.\n          All passwords will comply with OClO standards. Target completion date: July 25,\n          2003.\n\n9. \t      Disable, rename, or reinove all unnecessary accounts.\n          Unnecessary accounts will be removed. Target completion date: July 25,2003.\n\n10. \t     Remove the folders and fiIes containing images supporting the external private\n          website.\n          Completion date: February 27,2003.\n\n11.       Adjust all STRI website to comply with S1 standards of maintaining a privacy\n          statement as well as ensuring content is reviewed before public display on the\n          website.\n          Content of website is being reviewed by the Office of Public Information. Target\n          completion date: ApriI 30,2003.\n\n\nSMITHSONIAN INS\'I\'Il\'UTlON\nSmithsonian Tropical Research Institute\nUnit 0948\nAPO AA 34007\n507.212.8l I0 \'lblephone\n507.212.8150 I\'OX\nruhinotl%j3livoli.si.edu E-mail\n\x0c'